Monday was Data Protection Day. Find out how you can
win the textbook on data
protection.
Google has claimed its data retention policy is forced on it by
an EU law, but that it would keep identifiable customer data for 18
months even if that law did not exist.
Peter Schaar is Germany's Federal Data Protection Commissioner
and Chairman of the group of European privacy regulators the
Article 29 Working Party. He is negotiating with Google over its
retention of logs of user activity combined with identifying
internet protocol, or IP, addresses.
"We are discussing the item with Google, I'm not sure what will
be the outcome, I am optimistic," he told OUT-LAW Radio.
When asked whether he really believed that Google would change
its policies, he said: "they already changed as a result of our
[demands], I think we are not at the end of the street".
A year ago Google stopped keeping IP-identified records
indefinitely and restricted their retention to 18 months, citing
European privacy concerns as a reason for the change.
Google and other search engine and content companies keep a
record of what activity has taken place from individual IP
addresses, including what searches have been requested in search
engines.
Data protection officials have condemned the practice, claiming
that it breaches privacy rules, which state that collected personal
information must be deleted after it has been used.
Google claims that the EU's Data Retention Directive may forc it
to keep data, which it does for 18 months. Privacy officials claim
the Directive does not apply to content companies, only phone
networks and ISPs.
"A service like Google search and other search engines are not
covered by the Retention Directive," said Schaar. "This only covers
internet access services and telecommunications services like email
providers. The general obligation from the European Data Protection
law is that the data must be deleted as soon as possible."
The battle between EU data protection regulators and Google has
been going on for over a year and has focused on the Data Retention
Directive. But focus may be switching to whether or not IP
addresses count as personal data.
Schaar was quoted around the world last as having told a
European Parliament hearing that IP addresses are personal data. In
fact his view is that they should be treated as such for safety,
but they are sometimes not countable as personal data.
"In most cases IP addresses have to be seen as personal related
and therefore the European Directive on Data Protection covers also
the use of IP addresses," he said. "I understand that under
specific circumstances IP addresses are not personal related, but
in general we would say as data protection authorities IP addresses
are personal data because they identify indirectly the user of
computer systems connected to the internet."
Schaar will present a report to the Article 29 Working Party in
February into search engines and their compliance with privacy
laws. He said that he could not reveal its contents, but that he
hoped to get Working Party approval for it at its next meeting in
February.
A Working Party spokesman had previously outlined the scope of
the report. "We want to adopt a comprehensive opinion, saying how
long they can keep data, and which ones," he said last year.
